New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Closed: Sep 2013
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Sign in to add a comment

Issue 282736: Javascript execution bug introduced with Chrome 29.0.1547.57

Reported by, Aug 31 2013

Issue description

Chrome Version       : 29.0.1547.57
URLs (if applicable) : none
Other browsers tested:
     Safari 6: OK
  Firefox 20: OK
       IE 8/9/10: OK
  Chrome 29.0.1547.62: FAIL
  Chrome 29.0.1547.57 and .62 if code is stepped through in debugger: OK

What steps will reproduce the problem?
1. Open the attached file ChromeTest.html in Chrome 29.  This file contains a javascript function that recursively wraps any non-function properties of an object with a function expression (function () { return value; }).  It then tests the returned object with some assertions to see if the mapped object contains the expected values.

What is the expected result?
All assertions should pass.  They do on FF, IE and Safari.  They also do in Chrome 29 if you step through the code in the debugger.  Only if you let it run does it display the issue.  Optimization and/or JIT bug?

What happens instead?
Two of the assertions fail, regarding a property (B) that was a function to start with but which is now mysteriously set to the value of the next property processed, and that next property (C), which becomes undefined.

We were contacted by our users saying several applications we wrote using knockout.js had started failing after Chrome autoupdated to version 29.0.1547.57.  After some probing, we found that the specific problem was with knockout's mapping plugin.  If you're not familiar with that plugin, it recursively converts the properties of an object to knockout's ko.observable type, so that they may be bound to the DOM.  With Chrome 29, some of the properties were being scrambled (coming back with values from different properties), and some were coming back undefined.  The plugin works correctly in all other browsers which we have tested.

We started paring down the plugin until we could find the smallest case that would repro the issue, which is the attached file.

Also attached is a screenshot of a Chrome Dev tools session showing where the assertions fail.
1.8 KB View Download
172 KB View Download

Comment 1 by, Sep 1 2013

When you run the function in try/catch (to disable optimisation), it passes also.

Comment 2 by, Sep 2 2013

Labels: Cr-Blink-JavaScript Needs-Bisect

Comment 3 by, Sep 2 2013

Labels: -Needs-Bisect M-30
Status: Untriaged
Able to reproduce the issue on win7 chrome version 29.0.1547.57 and beta version 30.0.1599.22

Working fine in chrome version 31.0.1618.0 and latest 31.0.1619.1 canary Aura

@kbr, Can you please let us know if further bisect is needed for this issue.

Comment 4 by, Sep 3 2013

+a couple of V8 team members

Comment 5 by, Sep 3 2013

Status: Assigned
Thanks for providing such an excellent test case!

The issue (or at least the test case) was fixed by Assigning to verwaest@ to decide if that's safe enough to backmerge, or if we can develop a simpler version of that fix, or if the bug is actually elsewhere and was just hidden by this refactoring.

Comment 6 by, Sep 6 2013

Labels: Security_Severity-High
This is definitely a quite severe security bug. It allows javascript code to (at least) mutate whatever object pointer is the first two words after the header of an object by writing a constructed double into it (can be easily be constructed to be anything since those doubles can be loaded from typed arrays).

I have a reduced bugfix, but it doesn't have any canary coverage yet though. Either way is fine for me: Merge the entire patch back, including the bugfix, which has canary coverage; or merge the following fix back (without coverage?):

Comment 7 by, Sep 6 2013

Labels: -OS-Windows OS-All

Comment 8 by, Sep 6 2013

Labels: Restrict-View-SecurityTeam

Comment 9 by, Sep 16 2013

Labels: -Type-Bug -Pri-2 Type-Bug-Security Pri-1

Comment 10 by ClusterFuzz, Sep 18 2013

Project Member
Labels: reward-topanel
ClusterFuzz thinks that this bug might be eligible for a reward! Forwarding to reward panel for consideration.

Comment 11 by, Sep 18 2013

Status: Fixed
Marking as fixed since the reduced bugfixes were merged back to both M29 and M30.

Comment 12 by, Sep 18 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Merged Release-0

Comment 13 by, Sep 18 2013

Apparently, unfortunately, the fix wasn't picked up by the latest M29. It's using V8, while the patch was merged as V8

Comment 14 by, Sep 18 2013

That is ok, we don't have any more m29 patches, so this will go straight to m30.

Comment 15 by, Sep 25 2013

Did you saw our new criteria for possibly issuing higher rewards? See
E.g. If you are able to provide a repro that faulted at an address of 0x41414141, it will qualify for the new higher rewards. Or, if you can show that you have control between free and crash points, etc.

Comment 16 by, Sep 26 2013

Labels: -Release-0
Removing incorrect Release-0 which is reserved for bugs impacting stable.

Comment 17 by, Sep 26 2013

Labels: Security_Impact-Beta Security_Impact-Stable Release-0

Comment 18 by, Sep 26 2013

Adam.haile, what name would you like us to use when we give you credit for this bug in the release notes on the Chrome blog?

Comment 19 by, Sep 26 2013

Thanks!  Adam Haile is fine, and my company is Concrete Data (, if you list that as well.

Comment 20 by, Sep 26 2013

Thanks! We will credit you as Adam Haile of Concrete Data.

Comment 21 by, Sep 26 2013

Labels: CVE-2013-2918

Comment 22 by, Sep 27 2013

Labels: -CVE-2013-2918 CVE-2013-2919

Comment 23 by, Sep 28 2013

Labels: -reward-topanel reward-1000 reward-unpaid
Not filed as a security issue, but we still reward for the first time this happens, as it's not always clear.
So, delighted to tag this report with a $1000 Chromium Security Reward.

Comment 24 by, Oct 1 2013

That's awesome!  Thanks so much!  Is there anything I need to do to provide payment information?

Comment 25 by, Oct 18 2013

Labels: -reward-unpaid reward-inprocess
Hey Adam, processing via our e-payment system can take a few weeks, but reward should be on its way to you now. Thanks again for your help!

Comment 26 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 27 by, Feb 28 2014

Labels: -reward-inprocess

Comment 28 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 29 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 30 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 31 by, Oct 2 2016

Labels: allpublic

Comment 32 by, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment